SBTA#: Sunbelt Threat Advisory #09-0309

New Conficker/Downadup Worm Variants

Sunbelt researchers have discovered several new variants of the
Conficker/Downadup worm in the "wild." These new variants shut down known
anti-malware programs and block access to the sites of anti-malware vendors.
They also employ a revised algorithm to generate domains used to host payloads and
store sensitive data harvested from compromised PCs. Detections for these new
Conficker/Downadup variants are included in the latest definitions for Sunbelt
VIPRE and CounterSpy.
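The advisory notes that the new variants use a revised domain-generation algorithm. The page does not describe that algorithm, so the following added example (not Sunbelt's code and not the worm's actual scheme) shows only a generic defensive heuristic an administrator could run over DNS query logs: it flags hosts that look up several long, vowel-poor, high-entropy second-level labels in a short period, which is the usual footprint of machine-generated domain traffic. The log format, thresholds and sample lines are constructed for the example.

```python
"""Heuristic detection of DGA-style lookups in DNS query logs.

Added example, not Sunbelt's code and not Conficker's real domain algorithm.
Assumed log line format (constructed): "<date> <time> <client-ip> query <type> <qname>".
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log; 10.0.0.34 issues several random-looking lookups.
SAMPLE_DNS_LOG = """\
2009-03-09 10:01:02 10.0.0.21 query A www.example.com
2009-03-09 10:01:05 10.0.0.21 query A mail.example.com
2009-03-09 10:01:09 10.0.0.34 query A qzkvjxwr.net
2009-03-09 10:01:10 10.0.0.34 query A tpmhwgqvbk.org
2009-03-09 10:01:11 10.0.0.34 query A xjqwvplrzt.info
2009-03-09 10:01:12 10.0.0.34 query A updates.example.com
2009-03-09 10:01:15 10.0.0.55 query A sunbeltsoftware.com
"""

LOG_RE = re.compile(r"^\S+ \S+ (?P<client>\S+) query \S+ (?P<qname>\S+)$")
VOWELS = frozenset("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname):
    """Return the label directly left of the TLD, e.g. 'example' for www.example.com."""
    labels = [lab for lab in qname.lower().rstrip(".").split(".") if lab]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def is_dga_like(qname, min_len=7, max_vowel_ratio=0.2, min_entropy=2.5):
    """Heuristic: long label, almost no vowels, high character entropy.

    Thresholds are assumptions chosen for this example; tune them against
    your own baseline traffic before relying on them.
    """
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < max_vowel_ratio and shannon_entropy(label) >= min_entropy


def parse_log(log_text):
    """Yield (client, qname) pairs; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            yield match.group("client"), match.group("qname")


def suspicious_clients(log_text, min_hits=3):
    """Map client -> list of DGA-like names, keeping only clients with >= min_hits."""
    hits = defaultdict(list)
    for client, qname in parse_log(log_text):
        if is_dga_like(qname):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups: {', '.join(names)}")
```

A single odd-looking name proves nothing; the per-client count is what matters, since a host running a domain-generation routine queries many such names in a row, most of which do not resolve. Pair the hit list with the NXDOMAIN rate from the resolver to cut false positives from CDN hostnames.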

The latest definitions for VIPRE and CounterSpy will detect and
block Conficker/Downadup, preventing PCs protected by Sunbelt from being overrun
by the worm. Users and administrators who are dealing with previously infested
PCs are advised not only to update to the latest definitions for CounterSpy and
VIPRE, but to download and use the Sunbelt Conficker Removal Tool in addition to
VIPRE and CounterSpy:

Administrators of networks should remove affected PCs from the network before
attempting to clean those PCs of Conficker/Downadup, as the worm can spread via
network connections.

The Conficker/Downadup worm exploits a known security vulnerability that was
fixed by Microsoft in October 2008. Sunbelt strongly advises all users and
administrators to apply the security patch released by Microsoft to prevent PCs
from being re-infested by this worm:

Conficker attempts to patch this flaw itself by applying a binary patch to
NetpwPathCanonicalize(), and that patch is detectable. Sunbelt Network Security
Inspector (SNSI) will detect this flaw (definition version 170) and alert the
administrator to any potentially infected machines on the network. If you are
currently using SNSI, please make sure you have the latest definitions and run a
scan to determine whether any systems on your network are infected. If you do not
currently use SNSI, please visit
http://www.sunbeltsoftware.com/Business/Sunbelt-Network-Security-Inspector/ for more
information.

DETECTION:

Detection and remediation for this threat (Worm.Win32.Downadup.Gen) is included
in definitions #5028 (released 7 Mar. 2009) and later for Sunbelt VIPRE and
CounterSpy.

To use these definitions and be protected against this threat you must be
running VIPRE or CounterSpy version 3.1. Earlier versions of VIPRE and
CounterSpy do not protect against this threat.

UPDATES:

Definition updates are delivered automatically through VIPRE and
CounterSpy. The latest definitions for VIPRE can be manually downloaded and
applied from: